Skip to content

Privileged session management

This section introduces Privileged Session Management which requires additional licencing options. The following sections are covered:

Introduction

To use the session recording feature it must be included in your licence and will be visible in the enabled features list on the System Configuration > Licencing tab.

The features provided by Privileged Session Management are:

  • Recording of privileged sessions of SSH, HTTP, HTTPS, ESXi, RDP, VNC and Telnet activities.

  • Sessions to be selectively recorded include:

    • All privileged activities.
    • Activities of specifically targeted individuals.
    • Activities of all members in a selected profile.
    • Activities that take place throughout the infrastructure.
  • Active sessions can be shadowed.
  • A simple process to store and access recordings.
  • A search and playback interface that allows recordings to be easily searched by user, device, time and keystrokes.

Recording of sessions are driven by profiles. Profiles are used to control which devices are recorded for which users.

Device session connections through the UI are opened within an embedded browser so only the session window is recorded.

Configuring privileged session recorder

The following session recording related settings will be available for configuration on the System Configuration > Client settings tab:

Client settings tab

Hide session recording overlay

The Session Recording Overlay is enabled by default. It allows a Recording icon to appear in the top left hand corner of the device session. It informs the user that their session is being recorded.

Example session recorded window

To hide the Session Recording Overlay:

  1. Within the System Configuration page, click on the Client Settings tab.

  2. Click on the Edit pencil icon for Hide session recording overlay.

  3. Uncheck the Checked box Enabled box.

  4. Click SAVE. The Recording icon will no longer be visible on device connections that are being recorded.

Session recording terms of use

The Session Recording Terms of use can be configured and updated to reflect a company’s policy when accessing the corporate network, which the user must abide by in order to access devices and run tasks.

The session recording terms of use message will appear when the user opens a device session and must be accepted before being allowed to continue to the session. If the user declines the terms of use the device session will be terminated.

To update the terms of use message:

  1. Click on the Edit pencil icon for Session Recording Terms of use.

  2. Enter the new terms into the value box.

    SR terms of use

    The window header should be placed in square brackets and the body of the message after it.

    Example:

    [Session Recording Terms of Use] By clicking ACCEPT you agree to have your session recorded and/or monitored by Osirium PAM.

    SR terms of use example

  3. Click SAVE.

    Each time the user opens a device session which has been configured for session recording, the Session Recording Terms of Use message will appear.

    Note

    If users are already connected when the Session Recording Terms of use is applied, then they won't see the message until the next time they connect.

Configuring a profile for session recording

To record a user’s device connections, a profile needs to be configured. A profile will link together a group of users, tools, and devices that will be recorded.

To create a profile to record sessions:

  1. Click Profiles in the left-hand menu.

  2. Within the Manage profiles window click the Add icon NEW PROFILE

  3. Within the New profile window, give the profile a name.

    New profile window

  4. Check the Checked box Session Recording box.

  5. Click SAVE.

  6. On the Manage profiles page, click the new profile.

  7. Within the Profile detail page, add devices, users, tools and tasks. Now when a user opens a connection to a device listed in the profile, the session will be recorded.

    Note

    Recorded sessions will be visible on the Device access report page. See Device access report.

Viewing and playing session recordings

Device connections can be shadowed or played back on the Device access report.

See Device Access Report.

The sessions which are recorded are:

  • Captured at 1 frame per second snapshot of the active window.
  • The captured frames are:
    • Stored as PNG bitmap image files.
    • Compressed using gzip.
    • Represented by 16 bits per pixel.
  • The size of the recorded screenshots will differ based on the protocol and window size captured.
  • Not recorded as a video, but as individual screenshots taken every second that can then be played back as a video.
  • Have a fixed bandwidth requirement because the session only sends one image per second.
  • You can start multiple sessions which are session recorded (channel open), but only the active window is recorded. The recording is paused, and then restarted if you switch between the different sessions windows.

    For example:

    Device Frame 1 Frame 2 Frame 3 Frame 4 Frame 5 Frame 6
    Channel 1 vSphere Active image Active image No image Active image No image No image
    Channel 2 F5 SSH No image No image Active image No image Active image Active image
  • Recorded sessions are stored locally unless an external filestore has been configured, in which case all session recordings will be automatically saved to the external filestore.

  • The naming convention for the recorded sessions are as follows:

    /sessions/session/screenshot_.png

Searching session recordings

The Fuzzy filter allows you to search inside recorded connections.

The search term is matched against:

  • The keystrokes entered during a connection.
  • The titles of recorded device connection windows.

    Note

    The window refers to the tool opened to access the device.

See Device Access Report.

Archive screenshots

See Device Access Report.

Shadowing a connection being recorded

Shadowing an active recorded connection shows a live view of the connection in progress.

To shadow an active connection being recorded:

  1. Click on Device access in the right hand menu.

  2. Within the Device access report window, check the checkbox next to PAM sessions.

  3. The PAM sessions section will now be added to the Device access report window.

    Device connections tab

  4. To shadow an active connection being recorded, click the Shadow icon Shadow connection icon.

  5. The Session Player window opens and states that you are shadowing the selected connection.

    Screenshot player

    During the shadowing of an active connection:

    • If the shadowed user opens a new recorded device connection, you will be notified, and can either wait for the shadowed window to become active again, or click to shadow the new recorded connection.
    • If the shadowed user moves focus away from the recorded window, you will be notified, and can either wait for the user to switch focus back to the shadowed connection, or stop shadowing the connection.